Lessons to learn after fired IT worker pleads guilty to hack attack


How careful is your firm about ensuring that staff who leave for pastures new don't continue to log into your network?

As more and more workers are allowed remote access to IT systems, the issue of how to ensure security is not compromised when they leave your company's employment is an important one.

Whether a disgruntled former employee is opening up systems to spammers, planting malware, or replacing the CEO's presentation with porn, the consequences can be serious.

The latest case concerns IT expert Jason Cornish and the pharmaceutical firm Shionogi.

37-year-old Cornish, from Smyrna, Georgia, worked in Shionogi's IT department, reporting directly to a close friend of his (referred to as "B.N" by the FBI).

Cornish had a dispute with a senior manager at Shionogi and left the firm in July 2010. However, at B.N's suggestion, he was able to continue to work for the company as a paid consultant, because of his knowledge of Shionogi's computer network.

There were clouds on the horizon, however. Shionogi initiated a round of layoffs, and Cornish's friend B.N was impacted. When B.N refused to hand over network passwords to Shionogi officials he was suspended and ultimately fired.

Cornish's contract with Shionogi was also terminated, meaning he was no longer authorised to access their computer network after September 2010.

However, Cornish attempted to access Shionogi's network systems on over 20 occasions, and managed to secretly install VMware's vSphere management console software.

On February 3 2011, things came to a head.

Cornish logged into Shionogi's network from a McDonald's restaurant free WiFi connection, and used the software he had installed earlier to delete the contents of 15 virtual hosts - the equivalent of 88 different computer servers.

Criminal complaint filed against Cornish

An FBI investigation subsequently discovered that the attack had originated at an IP address assigned to the McDonald's restaurant. Cornish's credit card had been used to make a $4.96 purchase at the restaurant five minutes earlier.

Shionogi's American infrastructure was badly impacted - with its corporate email, BlackBerry servers, order tracking system and financial management software all brought down. The company was left unable to ship products or even send emails for a number of days.

In all, Shionogi estimated the damage done had cost them $800,000 (£488,000).

Cornish has now pleaded guilty to the charges of computer intrusion, and faces a maximum sentence of 10 years in prison when he is sentenced in November.

Once again, businesses need to be reminded of the importance of reviewing which users have access to their systems, and that changing passwords and resetting access rights is essential when a member of staff leaves their employment.

People do, of course, leave jobs all the time and most of them would never dream of logging back in to their old place of work. But it only takes one bad apple to wreak havoc - so make sure your defences are in place, and that only authorised users can access your sensitive systems.
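The two checks recommended above (no account activity after a leaver's end date, and no shared password left unrotated after someone who knew it departs) can be automated. The sketch below is an added example, not part of the original article; the roster, credential inventory, log format, account names and dates are all constructed for illustration.

```python
from datetime import date, datetime

# Constructed offboarding roster: account -> last authorised day.
DEPARTED = {"contractor1": date(2010, 9, 30), "admin2": date(2010, 9, 15)}

# Constructed shared-credential inventory: who knew each one, last rotation.
SHARED_CREDS = {
    "vcenter-admin": {"known_by": {"contractor1", "admin2"},
                      "rotated": date(2010, 6, 1)},
    "mail-svc": {"known_by": {"admin2"}, "rotated": date(2010, 10, 2)},
}

# Constructed authentication log: "timestamp account source result".
AUTH_LOG = """\
2010-09-20T09:12:00 contractor1 10.0.4.17 success
2010-11-03T22:41:10 contractor1 203.0.113.50 failure
2011-02-03T14:05:33 contractor1 198.51.100.23 success
2011-02-03T14:20:00 staff7 10.0.4.30 success
"""

def post_departure_logins(log_text, departed):
    """Return every auth attempt (success or failure) made by a departed
    account after its end date, as (timestamp, account, source, result)."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the audit
        ts, account, source, result = parts
        end = departed.get(account)
        if end and datetime.fromisoformat(ts).date() > end:
            hits.append((ts, account, source, result))
    return hits

def stale_shared_credentials(creds, departed):
    """Return shared credentials not rotated since a person who knew them left."""
    stale = []
    for name, info in creds.items():
        leavers = [departed[u] for u in info["known_by"] if u in departed]
        if leavers and info["rotated"] <= max(leavers):
            stale.append(name)
    return sorted(stale)

if __name__ == "__main__":
    for hit in post_departure_logins(AUTH_LOG, DEPARTED):
        print("ALERT post-departure auth:", *hit)
    for name in stale_shared_credentials(SHARED_CREDS, DEPARTED):
        print("ROTATE shared credential:", name)
```

Failed attempts are reported as well as successes, since repeated attempts from a deprovisioned account are an early warning in their own right.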


9 Responses to Lessons to learn after fired IT worker pleads guilty to hack attack

  1. They should've been using Veeam Software with offsite backups being replicated. No worries.

  2. Carl · 1165 days ago

    it's funny how karma works.. it comes to a full circle lol..

  3. Antony · 1165 days ago

    haha fouled by a plain double cheese bigger and large coke...

  4. Crazy Girl · 1165 days ago

    What a dork - paying a $5 bill with his credit card. Did he want to get caught?

    • Psy-Ko · 1165 days ago

      Was thinking the exact same thing! I mean how hard would it have been to run by the ATM and pull out some cash before hitting McDonalds. All those brains and no common sense, how sad.

  5. nicolasconnault · 1165 days ago

    Unfortunately there's not a lot you can do to prevent a very clued-in (and sneaky) IT employee from creating back-doors in your system, even months before he/she leaves the company.

  6. Xyon · 1165 days ago

    Can you say "Should've made a few backups"?

  7. Ryan · 1165 days ago

    Most Network Admins would use a grandfather - father - son schema for backing up a network as vast as the one mentioned in the article. Furthermore, who buys a double quarter pounder and a coke before committing criminal acts at the same location?!

    Common sense isn't common.

  8. lulz · 1165 days ago

    He shouldn't have bought coffee.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.